Date: Thu, 1 Feb 2018 13:05:47 +1100
From: Atlassian <security@...assian.com>
To: bugtraq@...urityfocus.com
Subject: Advisory - Sourcetree - CVE-2017-14592 CVE-2017-14593 CVE-2017-17458 CVE-2017-17831
This email refers to the advisory found at
https://confluence.atlassian.com/x/lIIyO.
CVE ID:
* CVE-2017-14592
* CVE-2017-14593
* CVE-2017-17458
* CVE-2017-17831
Product: Sourcetree
Affected Sourcetree product versions:
Sourcetree for macOS 1.0b2 <= version < 2.7.0
Sourcetree for Windows 0.5.1.0 <= version < 2.4.7.0
Fixed Sourcetree product versions:
* Versions of Sourcetree for macOS equal to or above 2.7.0 contain a fix for
these issues.
* Versions of Sourcetree for Windows equal to or above 2.4.7.0 contain a fix
for these issues.
Summary:
This advisory discloses critical severity security vulnerabilities.
Customers who have upgraded Sourcetree for macOS to version 2.7.0 are not
affected.
Customers who have upgraded Sourcetree for Windows to version 2.4.7.0 are not
affected.
Customers who have downloaded and installed Sourcetree for macOS versions
starting with 1.0b2 and before version 2.7.0 are affected.
Customers who have downloaded and installed Sourcetree for Windows versions
starting with 0.5.1.0 and before version 2.4.7.0 are affected.
Please upgrade your Sourcetree for macOS or Sourcetree for Windows installations
immediately to fix the vulnerabilities mentioned in this advisory.
Sourcetree for macOS - Various argument and command injection issues
(CVE-2017-14592)
Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.
Description:
Sourcetree for macOS had several argument and command injection bugs in
Mercurial and Git repository handling. An attacker with permission to commit to
a repository linked in Sourcetree for macOS is able to exploit this issue to
gain code execution on the system.
From version 1.4.0 of Sourcetree for macOS, this vulnerability can be triggered
from a webpage through the use of the Sourcetree URI handler.
Versions of Sourcetree for macOS starting with 1.0b2 before version 2.7.0 are
affected by this vulnerability.
This issue can be tracked at https://jira.atlassian.com/browse/SRCTREE-5243.
Acknowledgements:
Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to
us.
Sourcetree for Windows - Various argument and command injection issues
(CVE-2017-14593)
Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate, or low.
This is an independent assessment and you should evaluate its applicability to
your own IT environment.
Description:
Sourcetree for Windows had several argument and command injection bugs in
Mercurial and Git repository handling. An attacker with permission to commit to
a repository linked in Sourcetree for Windows is able to exploit this issue to
gain code execution on the system. From version 0.8.4b of Sourcetree for
Windows, this vulnerability can be triggered from a webpage through the use of
the Sourcetree URI handler. Versions of Sourcetree for Windows starting with
0.5.1.0 before version 2.4.7.0 are affected by this vulnerability.
This issue can be tracked at https://jira.atlassian.com/browse/SRCTREEWIN-8256.
Acknowledgements:
Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to
us.
Sourcetree for macOS and Windows - Mercurial: arbitrary command execution in
mercurial repositories with a git submodule (CVE-2017-17458)
Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate, or low.
This is an independent assessment and you should evaluate its applicability to
your own IT environment.
Description:
The embedded version of Mercurial used in Sourcetree for macOS and Sourcetree
for Windows was vulnerable to CVE-2017-17458. An attacker can exploit this issue
if they commit to a Mercurial repository linked in Sourcetree for macOS or
Sourcetree for Windows by adding a git subrepository specifying arbitrary code
in the form of a .git/hooks/post-update script. This allows the attacker to
execute arbitrary code on systems running a vulnerable version of Sourcetree for
macOS or Sourcetree for Windows. Sourcetree for macOS and Sourcetree for Windows
perform background indexing, which allows for this issue to be exploited without
a user needing to directly interact with the git subrepository. From version
1.4.0 of Sourcetree for macOS and 0.8.4b of Sourcetree for Windows, this
vulnerability can be triggered from a webpage through the use of the Sourcetree
URI handler.
Versions of Sourcetree for macOS starting with 1.0b2 before version 2.7.0 are
affected by this vulnerability. This issue can be tracked at
https://jira.atlassian.com/browse/SRCTREE-5244.
Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0
are affected by this vulnerability. This issue can be tracked at
https://jira.atlassian.com/browse/SRCTREEWIN-8257.
Acknowledgements:
Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to
us.
Sourcetree for macOS and Windows - Git LFS: Arbitrary command execution in
repositories with Git LFS enabled (CVE-2017-17831)
Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate, or low.
This is an independent assessment and you should evaluate its applicability to
your own IT environment.
Description:
The embedded version of Git LFS used in Sourcetree for macOS and Windows was
vulnerable to CVE-2017-17831. An attacker can exploit this issue if they can
commit to a git repository linked in Sourcetree for macOS or Sourcetree for
Windows by adding a .lfsconfig file containing a malicious lfs url. This allows
them to execute arbitrary code on systems running a vulnerable version of
Sourcetree for macOS or Sourcetree for Windows. This vulnerability can also be
triggered from a web page through the use of the Sourcetree URI handler.
Versions of Sourcetree for macOS starting with 2.1 before version 2.7.0 are
affected by this vulnerability. This issue can be tracked at
https://jira.atlassian.com/browse/SRCTREE-5246.
Versions of Sourcetree for Windows starting with 1.7.0 before version 2.4.7.0
are affected by this vulnerability. This issue can be tracked at
https://jira.atlassian.com/browse/SRCTREEWIN-8261.
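The two repository-content indicators described in the Mercurial (CVE-2017-17458) and Git LFS (CVE-2017-17831) sections above can be checked for before a client opens or indexes a checkout. The following added example (not Atlassian's or Git LFS's code) reads a repository's .hgsub for git subrepository entries and its .lfsconfig for LFS endpoints that fall outside an assumed https-only host allow-list; the host name and the sample files are constructed.

```python
# Added example, not Atlassian's or Git LFS's code: a pre-open scan for the two
# repository-content indicators the advisory names, a .hgsub pulling in a git
# subrepository (CVE-2017-17458) and a .lfsconfig pointing LFS at an endpoint off
# an assumed https-only host allow-list (CVE-2017-17831). Sample files are constructed.
import re
from pathlib import Path
from urllib.parse import urlparse

ALLOWED_LFS_HOSTS = {"lfs.example.internal"}  # assumed policy, not a real host
# .hgsub entries read "path = [kind]source"; kind defaults to hg.
HGSUB_LINE = re.compile(r"^\s*(?P<path>[^=#]+?)\s*=\s*(?:\[(?P<kind>\w+)\])?(?P<src>.+?)\s*$")
def git_subrepos(hgsub_text):
    """(path, source) for every .hgsub entry declared as a git subrepository."""
    found = []
    for line in hgsub_text.splitlines():
        m = HGSUB_LINE.match(line)
        if m and (m.group("kind") or "hg").lower() == "git":
            found.append((m.group("path"), m.group("src")))
    return found

def lfs_urls(lfsconfig_text):
    """Minimal git-config reader: (section, key, value) for keys ending in 'url'."""
    section, out = "", []
    for raw in lfsconfig_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower().endswith("url"):
                out.append((section, key.lower(), value.strip('"')))
    return out

def unapproved_lfs_urls(lfsconfig_text, allowed_hosts=ALLOWED_LFS_HOSTS):
    """Entries whose scheme is not https or whose host is off the allow-list."""
    return [f"{s}.{k} = {v}" for s, k, v in lfs_urls(lfsconfig_text)
            if urlparse(v).scheme != "https" or urlparse(v).hostname not in allowed_hosts]

def scan_repo(root):
    """Findings for a checkout, to run before a GUI client opens or indexes it."""
    root, findings = Path(root), []
    if (root / ".hgsub").is_file():
        findings += [f"git subrepo {p} -> {s}" for p, s in git_subrepos((root / ".hgsub").read_text())]
    if (root / ".lfsconfig").is_file():
        findings += [f"unapproved LFS endpoint {e}" for e in unapproved_lfs_urls((root / ".lfsconfig").read_text())]
    return findings
SAMPLE_HGSUB = "vendor/lib = [git]https://git.example.internal/lib.git\ndocs = docs-hg\n"
SAMPLE_LFSCONFIG = '[lfs]\n\turl = "http://lfs.example.internal/media"\n[remote "origin"]\n\tlfsurl = https://lfs.example.internal/x\n'
if __name__ == "__main__":
    print(git_subrepos(SAMPLE_HGSUB), unapproved_lfs_urls(SAMPLE_LFSCONFIG))
```

Any finding is a prompt for review before the checkout is opened, since the scan only reports the declared subrepository and the configured endpoint, not whether either is actually hostile.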
Remediation:
Atlassian recommends that you upgrade to the latest version of Sourcetree:
* To version 2.7.0 or higher for macOS.
NOTE: Mac OS X 10.11 or later is required for Sourcetree 2.5.0 or later.
* To version 2.4.7.0 or higher for Windows and manually uninstall any older
versions of Sourcetree. If you are using the embedded version of Git and/or
Mercurial, then after updating Sourcetree you should update the embedded
version. To update the embedded version of Git select "Options" from the "Tools"
menu, then click on the Git tab and then click on the 'Update Embedded Git'
button. To update the embedded version of Mercurial select "Options" from the
"Tools" menu, then click on the Mercurial tab and then click on the 'Update
Embedded Mercurial' button. If you are using the system provided Git and/or
Mercurial please ensure that you keep the system version up to date.
For a full description of the latest version of Sourcetree, see the release
notes for macOS and Windows. You can download the latest versions of Sourcetree
from the Sourcetree website (https://www.sourcetreeapp.com/).
Support:
Atlassian supports SourceTree through the Atlassian Community. If you
have questions or concerns regarding this advisory, go to
https://community.atlassian.com/t5/SourceTree/ct-p/sourcetree.